Default Fedora installation suffers from egregious configuration flaw
Kevin Fenzi
kevin at scrye.com
Thu May 19 16:42:42 UTC 2011
On Thu, 19 May 2011 09:08:06 -0600
Vincent Danen <vdanen at redhat.com> wrote:
> * [2011-05-19 07:18:38 -0600] Kevin Fenzi wrote:
...snip...
> >If it's brute force attacks that are the vector of concern, perhaps
> >we could look at a default hashlimit rule in front of the ssh. (ie, 1
> >attempt per minute or the like).
>
> Or simply have a page asking the user whether or not to enable ssh? I
> can't recall off the top of my head, but I believe there is a screen
> where you ask if you want the firewall enabled, right? Why not have a
> very obvious checkbox: "[ ] Enable ssh at boot" and if the user checks
> it off, set the firewall to allow ssh and turn ssh on. If the user
> does _not_ check it off (aka they are sitting back and saying "what
> is this ssh thing they speak of?") then have the firewall block port
> 22 and chkconfig ssh off.
>
> It's not difficult. Those who need ssh will know what it is and will
> turn it on. Those who don't (probably the majority) will leave it off
> and be protected.
>
> I think that would cover all areas of concern without
> unnecessary/needless rate-limiting or changing sshd_config, etc. And
> it's one more UI element during install (and presumably something that
> could be set in a kickstart file as well as a result).
Sure. Feel free to suggest it/provide patches to the anaconda folks.
There may well be cases this doesn't handle, but they would know more
than I what those might be.
kevin
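The two outcomes Vincent's checkbox would produce, and the hashlimit rule Kevin floats as the alternative, spelled out as the commands a post-install or kickstart %post script would run on a Fedora of that era (iptables + chkconfig, service name sshd). This is an added example, not code from the thread or from anaconda; the rate-limit numbers (1 new connection per minute per source IP, burst of 3), the chain positions and the DRY_RUN/SSH_POLICY variable names are my assumptions. Note that a per-source limit only slows a single brute-forcer; a distributed one gets a fresh budget per address, and a legitimate user who mistypes past the burst is locked out for a minute.

```shell
#!/bin/sh
# Added example (not from the list thread): apply the "enable ssh" or
# "ssh off" outcome described above. DRY_RUN=1 prints the commands
# instead of executing them; everything else needs root and a
# 2011-era Fedora with iptables, chkconfig and service(8).

# Print the command lines for policy "on" or "off", one per line.
ssh_policy_cmds() {
    case "$1" in
    on)
        # The user ticked the box: sshd at boot, started now.
        echo "chkconfig sshd on"
        echo "service sshd start"
        # Rate limit in front of sshd (assumed numbers): drop NEW TCP
        # connections to port 22 from any source that exceeds 1/min with a
        # burst of 3. Only NEW connections are matched, so existing
        # sessions are never affected.
        echo "iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 1/min --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name sshbrute -j DROP"
        # Everything under the limit is accepted, right after the limiter.
        echo "iptables -I INPUT 2 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
        echo "service iptables save"
        ;;
    off)
        # The user left the box unticked: sshd off at boot, stopped now,
        # and port 22 blocked at the firewall so nothing else answers there.
        echo "chkconfig sshd off"
        echo "service sshd stop"
        echo "iptables -I INPUT -p tcp --dport 22 -j DROP"
        echo "service iptables save"
        ;;
    *)
        return 2
        ;;
    esac
}

# Run (or, with DRY_RUN=1, echo) the commands for the given policy.
# Returns 2 on an unknown policy, 1 if any command fails, 0 otherwise.
apply_ssh_policy() {
    case "$1" in
    on|off) ;;
    *) echo "usage: apply_ssh_policy on|off" >&2; return 2 ;;
    esac
    ssh_policy_cmds "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf '%s\n' "$cmd"
        else
            # Stop at the first failing command (exits the pipeline subshell).
            eval "$cmd" || exit 1
        fi
    done
}

# Usage: SSH_POLICY=off DRY_RUN=1 sh ssh-policy.sh
if [ -n "${SSH_POLICY:-}" ]; then
    apply_ssh_policy "$SSH_POLICY"
fi
```

In kickstart syntax of that era the "off" outcome is the pair `firewall --enabled` (no `--ssh`) and `services --disabled=sshd`, and the "on" outcome `firewall --enabled --ssh` with `services --enabled=sshd`; the hashlimit rule would still have to be added in %post, since the firewall directive has no rate-limiting option.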